GHSA-j2hr-q93x-gxvh

Suggest an improvement
Source
https://github.com/advisories/GHSA-j2hr-q93x-gxvh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-j2hr-q93x-gxvh/GHSA-j2hr-q93x-gxvh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j2hr-q93x-gxvh
Aliases
Published
2024-10-11T16:58:36Z
Modified
2024-10-11T16:58:37Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
SSOReady has an XML Signature Bypass via differential XML parsing
Details

Affected versions are vulnerable to XML signature bypass attacks. An attacker can carry out signature bypass if you have access to certain IDP-signed messages. The underlying mechanism exploits differential behavior between XML parsers.

Users of https://ssoready.com, the public hosted instance of SSOReady, are unaffected. We advise folks who self-host SSOReady to upgrade to 7f92a06 or later. Do so by updating your SSOReady Docker images from sha-... to sha-7f92a06. The documentation for self-hosting SSOReady is available here.

Vulnerability was discovered by @ahacker1-securesaml. It's likely the precise mechanism of attack affects other SAML implementations, so the reporter and I (@ucarion) have agreed to not disclose it in detail publicly at this time.

Database specific
{
    "nvd_published_at": "2024-10-09T19:15:14Z",
    "cwe_ids": [
        "CWE-347"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-11T16:58:36Z"
}
References

Affected packages

Go / github.com/ssoready/ssoready

Package

Name
github.com/ssoready/ssoready
View open source insights on deps.dev
Purl
pkg:golang/github.com/ssoready/ssoready

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.0.0-20241009153838-7f92a0630439